In AWS Client VPN, once the endpoint is created there is no way to change the client certificate ARN. However, you can replace the client certificate under the same ACM ARN by following the steps detailed in link [1].
AWS Certificate Manager supports re-importing a certificate. The ARN of the certificate does not change, and the newly imported certificate is automatically deployed to the associated resources. However, during the re-import process there are some restrictions on the old and new certificate:
- You can add or remove domain names.
- You cannot remove all of the domain names from a certificate.
- If Key Usage extensions are present in the originally imported certificate, you can add new extension values, but you cannot remove existing values.
- If Extended Key Usage extensions are present in the originally imported certificate, you can add new extension values, but you cannot remove existing values.
- The key type and size cannot be changed.
- You cannot apply resource tags when reimporting a certificate.
However, there is no restriction that the issuer must be the same CA, so even if the CA changes, you can still perform the re-import as long as the above conditions are met.
Afterwards, you can re-download the configuration file and add the client certificate and key so that users can connect to the endpoint again.
To download and prepare the Client VPN endpoint configuration file
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
- In the navigation pane, choose Client VPN Endpoints.
- Select the Client VPN endpoint that you created for this tutorial, and choose Download client configuration.
- Locate the client certificate and key that were generated. The client certificate and key can be found in the following locations in the cloned OpenVPN easy-rsa repo:
- Client certificate — easy-rsa/easyrsa3/pki/issued/client1.domain.tld.crt
- Client key — easy-rsa/easyrsa3/pki/private/client1.domain.tld.key
- Open the Client VPN endpoint configuration file using your preferred text editor. Add <cert></cert> and <key></key> tags to the file. Place the contents of the client certificate and the contents of the private key between the corresponding tags, as such:
<cert>
Contents of client certificate (.crt) file
</cert>
<key>
Contents of private key (.key) file
</key>
- Locate the line that specifies the Client VPN endpoint DNS name, and prepend a random string to it so that the format is random_string.displayed_DNS_name. For example:
- Original DNS name: cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com
- Modified DNS name: asdfa.cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com
- Save and close the Client VPN endpoint configuration file.
Also, make sure that the users add the profile from the new .ovpn configuration file.
References:
[1] Reimporting a certificate - https://docs.aws.amazon.com/acm/latest/userguide/import-reimport.html
[2] Download the Client VPN endpoint configuration file - https://docs.aws.amazon.com/vpn/latest/clientvpn-admin/cvpn-getting-started.html#cvpn-getting-started-config
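The procedure in the answer above, scripted as an added example; this is not code from the original answer or from AWS. It assumes the AWS CLI and OpenSSL (1.1.1 or newer, for `-ext`) are installed, and the certificate ARN, endpoint ID and file paths are placeholders. The two AWS calls are only defined, not run, since they need credentials; the profile-building step runs offline on a constructed endpoint configuration and placeholder PEM blocks.

```shell
#!/bin/sh
# Added example (not from the re:Post answer or AWS docs). Scripts the steps
# above: re-import the replacement client certificate under the existing ACM
# ARN, then turn the exported endpoint configuration into a user .ovpn profile
# with <cert>/<key> inlined and a random prefix on the endpoint DNS name.
# ARN, endpoint ID and file paths are placeholders (assumptions).

# Print the fields the re-import restrictions above care about (subject,
# issuer, key type/size, Key Usage, Extended Key Usage) so the old and new
# certificate can be compared by eye before re-importing. Not run at top level.
describe_cert() {
    openssl x509 -in "$1" -noout -subject -issuer -ext keyUsage,extendedKeyUsage
    openssl x509 -in "$1" -noout -text | grep -E 'Public Key Algorithm|Public-Key'
}

# Step 1: re-import. --certificate-arn is what makes this a re-import; without
# it ACM creates a new certificate with a new ARN, which the Client VPN
# endpoint cannot be switched to. Not run at top level (needs credentials).
acm_reimport() {
    arn=$1; cert=$2; key=$3; chain=$4
    aws acm import-certificate --certificate-arn "$arn" \
        --certificate fileb://"$cert" --private-key fileb://"$key" \
        --certificate-chain fileb://"$chain"
}

# Step 2, AWS side: export the endpoint configuration (the same text the
# console's "Download client configuration" gives you). Not run at top level.
export_endpoint_config() {
    aws ec2 export-client-vpn-client-configuration \
        --client-vpn-endpoint-id "$1" --output text
}

# Step 2, local side (pure text, runs offline): inline the cert and key and
# prepend a label to the endpoint DNS name on the "remote" line.
# usage: prepare_ovpn BASE_CONFIG CLIENT_CRT CLIENT_KEY OUT [LABEL]
prepare_ovpn() {
    base=$1; cert=$2; key=$3; out=$4
    # Random 8-hex-char label unless one is supplied (the demo supplies one).
    label=${5:-$(od -An -N4 -tx1 /dev/urandom | tr -d ' \n')}
    case $label in
        *[!a-z0-9]*|'') echo "bad label: '$label'" >&2; return 1 ;;
    esac
    {
        sed "s#^remote cvpn-endpoint-#remote ${label}.cvpn-endpoint-#" "$base"
        # awk 1 re-emits each line and guarantees a trailing newline, so the
        # closing tag never lands on the last PEM line.
        printf '<cert>\n'; awk 1 "$cert"; printf '</cert>\n'
        printf '<key>\n';  awk 1 "$key";  printf '</key>\n'
    } > "$out"
    chmod 600 "$out"   # the profile now carries the user's private key
    echo "$out"
}

# Offline demo on a constructed endpoint configuration and placeholder PEM
# blocks (not real certificates). Echoes the path of the generated profile.
build_sample_profile() {
    d=$(mktemp -d)
    cat > "$d/base.ovpn" <<'EOF'
client
dev tun
proto udp
remote cvpn-endpoint-0102bc4c2eEXAMPLE.prod.clientvpn.us-west-2.amazonaws.com 443
EOF
    # Deliberately no trailing newline on the cert, to exercise the awk fix.
    printf -- '-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----' \
        > "$d/client1.domain.tld.crt"
    printf -- '-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n' \
        > "$d/client1.domain.tld.key"
    prepare_ovpn "$d/base.ovpn" "$d/client1.domain.tld.crt" \
        "$d/client1.domain.tld.key" "$d/client1.ovpn" asdfa
}

build_sample_profile
```

Run `describe_cert old.crt` and `describe_cert new.crt` before `acm_reimport` and check that the new certificate keeps every Key Usage and Extended Key Usage value of the old one and the same key type and size, since those are the conditions under which ACM accepts the re-import. The generated profile is written with mode 600 because, once the key is inlined, the .ovpn file is as sensitive as the key file itself.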